1
2
3NETWORK WORKING GROUP                                             L. Zhu
4Internet-Draft                                                  P. Leach
5Updates: 4120 (if approved)                                K. Jaganathan
6Intended status: Standards Track                   Microsoft Corporation
7Expires: April 14, 2007                                 October 11, 2006
8
9
10                     Anonymity Support for Kerberos
11                       draft-ietf-krb-wg-anon-02
12
13Status of this Memo
14
15   By submitting this Internet-Draft, each author represents that any
16   applicable patent or other IPR claims of which he or she is aware
17   have been or will be disclosed, and any of which he or she becomes
18   aware will be disclosed, in accordance with Section 6 of BCP 79.
19
20   Internet-Drafts are working documents of the Internet Engineering
21   Task Force (IETF), its areas, and its working groups.  Note that
22   other groups may also distribute working documents as Internet-
23   Drafts.
24
25   Internet-Drafts are draft documents valid for a maximum of six months
26   and may be updated, replaced, or obsoleted by other documents at any
27   time.  It is inappropriate to use Internet-Drafts as reference
28   material or to cite them other than as "work in progress."
29
30   The list of current Internet-Drafts can be accessed at
31   http://www.ietf.org/ietf/1id-abstracts.txt.
32
33   The list of Internet-Draft Shadow Directories can be accessed at
34   http://www.ietf.org/shadow.html.
35
36   This Internet-Draft will expire on April 14, 2007.
37
38Copyright Notice
39
40   Copyright (C) The Internet Society (2006).
41
42Abstract
43
44   This document defines extensions to the Kerberos protocol for the
45   Kerberos client to authenticate the Kerberos Key Distribution Center
46   and the Kerberos server, without revealing the client's identity.
47   These extensions can be used to secure communication between the
48   anonymous client and the server.
49
50
51
52
53
54Zhu, et al.              Expires April 14, 2007                 [Page 1]
55
56Internet-Draft         Kerberos Anonymity Support           October 2006
57
58
59Table of Contents
60
61   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
62   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  3
63   3.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
64   4.  Protocol Description . . . . . . . . . . . . . . . . . . . . .  5
65   5.  GSS-API Implementation Notes . . . . . . . . . . . . . . . . .  7
66   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
67   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
68   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
69   9.  Normative References . . . . . . . . . . . . . . . . . . . . .  9
70   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
71   Intellectual Property and Copyright Statements . . . . . . . . . . 11
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110Zhu, et al.              Expires April 14, 2007                 [Page 2]
111
112Internet-Draft         Kerberos Anonymity Support           October 2006
113
114
1151.  Introduction
116
117   In certain situations, the Kerberos [RFC4120] client may wish to
118   authenticate a server and/or protect communications without revealing
119   its own identity.  For example, consider an application which
120   provides read access to a research database, and which permits
121   queries by arbitrary requestors.  A client of such a service might
122   wish to authenticate the service, to establish trust in the
123   information received from it, but might not wish to disclose its
124   identity to the service for privacy reasons.
125
126   Extensions to [RFC4120] are specified in this document by which a
127   client can authenticate the KDC and request an anonymous ticket.  The
128   client can use the anonymous ticket to authenticate the server and
129   protect subsequent client-server communications.  These extensions
130   provide Kerberos with functional equivalence to Transport Layer
131   Security (TLS) [RFC4346].
132
133   By using the extensions defined in this specification, the client MAY
134   reveal its identity in its initial request to its own KDC, but it can
135   remain anonymous thereafter to KDCs on the cross-realm authentication
136   path, and to the server with which it communicates.
137
138
1392.  Conventions Used in This Document
140
141   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
143   document are to be interpreted as described in [RFC2119].
144
145
1463.  Definitions
147
148   The anonymous Kerberos realm name is a reserved realm name based on
149   [KRBNAM].  The value is the literal "RESERVED:ANONYMOUS".
150
151   The anonymous Kerberos principal name is a reserved Kerberos
152   principal name based on [KRBNAM].  The value of the name-type field
153   is KRB_NT_RESRVED [KRBNAM], and the value of the name-string field is
154   a sequence of two KerberosString components: "RESERVED", "ANONYMOUS".
155
156   Note that in this specification, the anonymous principal name and
157   realm are only applicable to the client in Kerberos messages, the
158   server MUST NOT be anonymous in any Kerberos message.
159
160   The transited field [RFC4120] of a ticket is an anonymous
161   authentication path if the tr-type field of the TransitedEncoding
162   type [RFC4120] is NO-TRANSITED-INFO and the contents field is an
163
164
165
166Zhu, et al.              Expires April 14, 2007                 [Page 3]
167
168Internet-Draft         Kerberos Anonymity Support           October 2006
169
170
171   empty OCTET STRING.
172
173           NO-TRANSITED-INFO    TBA
174
175   This means that no information of the authentication path is
176   disclosed.
177
178   The anonymous ticket flag is defined as bit TBA (with the first bit
179   being bit 0) in the TicketFlags:
180
181           TicketFlags     ::= KerberosFlags
182             -- anonymous(TBA)
183             -- TicketFlags and KerberosFlags are defined in [RFC4120]
184
185   An anonymous ticket is a ticket that has all of the following
186   properties:
187
188   o  The cname field [RFC4120] contains the anonymous Kerberos
189      principal name.
190
191   o  The crealm field [RFC4120] contains either the client's realm name
192      or the anonymous realm name.
193
194   o  The transited field [RFC4120] can contain either the client's
195      authentication path as described in Section 3.3.3.2 of [RFC4120]
196      or the anonymous authentication path.
197
198   o  The anonymous ticket contains no information that can reveal the
199      client's identity.  However the ticket MAY contain the client
200      realm and the realms on the authentication path, and authorization
201      data that MAY provide information related to the client's
202      identity.  For example, an anonymous principal that is only
203      identifiable within a particular group of users can be implemented
204      using authorization data and such authorization data, if included
205      in the anonymous ticket, shall disclose the client's membership of
206      that group.
207
208   o  The anonymous ticket flag is set.
209
210   The request-anonymous KDC option is defined as bit TBA (with the
211   first bit being bit 0) in the KDCOptions:
212
213           KDCOptions      ::= KerberosFlags
214             -- request-anonymous(TBA)
215             -- KDCOptions and KerberosFlags are defined in [RFC4120]
216
217
218
219
220
221
222Zhu, et al.              Expires April 14, 2007                 [Page 4]
223
224Internet-Draft         Kerberos Anonymity Support           October 2006
225
226
2274.  Protocol Description
228
229   In order to request an anonymous ticket, the client sets the request-
230   anonymous KDC option in an Authentication Exchange (AS) or Ticket
231   Granting Service (TGS) request [RFC4120].  The client can request an
232   anonymous TGT based on a normal TGT.  If the client wishes to
233   authenticate the KDC anonymously, it sets the client name as
234   anonymous in the AS exchange and provides a PA_PK_AS_REQ pre-
235   authentication data [RFC4556] where both the signerInfos field and
236   the certificates field of the SignedData [RFC3852] of PA_PK_AS_REQ
237   are empty.  Because the anonymous client does not have an associated
238   asymmetric key pair, the client MUST use the Diffie-Hellman key
239   agreement method by filling in the Diffie-Hellman domain parameters
240   in the clientPublicValue [RFC4556].
241
242   If the ticket in the PA-TGS-REQ [RFC4120] of the TGS request is
243   anonymous, or if the client in the AS request is anonymous, the
244   request-anonymous KDC option MUST be set in the request.
245
246   Upon receiving the AS request with a PA_PK_AS_REQ from the anonymous
247   client, the KDC skips the checks for the client's signature and the
248   client's public key (such as the verification of the binding between
249   the client's public key and the client name), but performs otherwise-
250   applicable checks, and proceeds as normal according to [RFC4556].
251   For example, the AS MUST check if the client's Diffie-Hellman domain
252   parameters are acceptable.  The Diffie-Hellman key agreement method
253   MUST be used and the reply key is derived according to Section
254   3.2.3.1 of [RFC4556].  If the clientPublicValue is not present in the
255   request, the KDC MUST return a KRB-ERROR [RFC4120] with the code
256   KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED [RFC4556] and there is no
257   accompanying e-data.  The client that made the anonymous request can
258   authenticate the KDC based on the KDC's signature in the reply.  If
259   the KDC does not have an asymmetric key pair, it MAY reply
260   anonymously.  In which case, both the signerInfos field and the
261   certificates field of the SignedData [RFC3852] of PA_PK_AS_REP in the
262   reply are empty.  The server name in an anonymous reply contains the
263   name of the TGS.  Upon receipt of an anonymous KDC reply, the client
264   MUST reject the returned ticket if it can not authenticate the KDC
265   otherwise.
266
267   The client can use its keys to mutually authenticate with the KDC,
268   and request an anonymous TGT in the AS request.  And in that case,
269   the reply key is selected as normal according to Section 3.1.3 of
270   [RFC4120].
271
272   For the TGS exchange, the reply key is selected as normal according
273   to Section 3.3.3 of [RFC4120].
274
275
276
277
278Zhu, et al.              Expires April 14, 2007                 [Page 5]
279
280Internet-Draft         Kerberos Anonymity Support           October 2006
281
282
283   When policy allows, the KDC issues an anonymous ticket.  Based on
284   local policy, the client realm in the anonymous ticket can be the
285   anonymous realm name or the realm of the KDC.  However, in all cases,
286   the client name and the client realm in the EncKDCRepPart of the
287   reply [RFC4120] MUST match with the corresponding client name and the
288   client realm of the anonymous ticket in the reply.  The client MUST
289   use the client name and the client realm returned in the
290   EncKDCRepPart in subsequent message exchanges when using the obtained
291   anonymous ticket.
292
293   During the TGS request, when propagating authorization data, care
294   MUST be taken by the TGS to ensure that the client confidentiality is
295   not violated.  The TGS MUST either fail the request or remove
296   authorization data that may reveal the client's identity.  An
297   optional authorization element unknown by the TGS MUST be removed if
298   it can be ignored (such as ones enclosed in the AD-IF-RELEVANT
299   structure).  The TGS can only strip critical unknown authorization
300   data if the ticket does not convey any rights such as those conveyed
301   by a KDCIssued authorization data element.  If a ticket contains a
302   KDCIssued authorization data element, then no other authorization
303   data elements may be removed if they could serve to limit the rights
304   conveyed by the KDCIssued element.  Here is a table of the known
305   authorization-data elements, tagged with whether they interfere with
306   client anonymity and recommendations for how to process them:
307
308         ad-type          References  Can Breach Confidentiality?
309     ------------------------------------------------------------------
310     AD-IF-RELEVANT        RFC4120     Yes, remove if unknown
311     AD-KDCIssued          RFC4120     Yes, fail the request if unknown
312     AD-AND-OR             RFC4120     Yes, remove if unknown
313     AD-MANDATORY-FOR-KDC  RFC4120     Yes, fail the request if unknown
314
315   The KDC fills out the transited field of the anonymous ticket in the
316   reply as follows: If the service ticket in a TGS request is an
317   anonymous ticket with a "normal" authentication path, then the
318   authentication path in the reply ticket MUST also contain a "normal"
319   authentication path, the TGS MUST add the name of the previous realm.
320   However, if the service ticket in a TGS request is an anonymous
321   ticket with an anonymous authentication path, then the reply ticket
322   can contain either an anonymous authentication path or a "normal"
323   authentication path, based on local policy of the KDC.  Thus a
324   "normal" authentication path in an anonymous ticket can be a partial
325   path, it may not include all the intermediate realms on the
326   authentication path.
327
328   The KDC fills out the authtime field of the anonymous ticket in the
329   reply as follows: If the anonymous ticket is returned in an AS
330   exchange, the authtime field of the ticket contains the request time.
331
332
333
334Zhu, et al.              Expires April 14, 2007                 [Page 6]
335
336Internet-Draft         Kerberos Anonymity Support           October 2006
337
338
339   If the anonymous ticket is returned in a TGS exchange, the authtime
340   field contains the authtime of the ticket in the PA-TGS-REQ
341   [RFC4120].  An anonymous ticket can be renewed, and the authtime
342   field of a renewed ticket is the authtime in the anonymous ticket on
343   which the renewed ticket was based.
344
345   If it is inappropriate to remove an authorization element from the
346   TGS request in order to produce an anonymous ticket, the KDC MUST
347   return an error message with the code KDC_ERR_POLICY [RFC4120].
348
349   If the client is anonymous and the KDC does not have a key to encrypt
350   the reply, the KDC MUST return an error message with the code
351   KDC_ERR_NULL_KEY [RFC4120] and there is no accompanying e-data.
352
353   If a client requires anonymous communication then the client MUST
354   check to make sure that the ticket in the reply is actually anonymous
355   by checking the presence of the anonymous ticket flag.  This is
356   because KDCs ignore unknown KDC options.  A KDC that does not
357   understand the request-anonymous KDC option will not return an error,
358   but will instead return a normal ticket.
359
360   The subsequent client and server communications then proceed as
361   described in [RFC4120].  No transited policy checking is needed for
362   the anonymous authentication path.  However, transited policy checks
363   defined in Section 2.7 of [RFC4120] would apply to an anonymous
364   ticket that contains a "normal" authentication path.
365
366   A server accepting an anonymous service ticket may assume that
367   subsequent requests using the same ticket originate from the same
368   client.  Requests with different tickets are likely to originate from
369   different clients.
370
371   Interoperability and backward-compatibility notes: the KDC is given
372   the task of rejecting a request for an anonymous ticket when the
373   anonymous ticket is not acceptable by the server.
374
375
3765.  GSS-API Implementation Notes
377
378   At the GSS-API [RFC2743] level, the use of an anonymous principal by
379   the initiator/client requires the initiator/client to assert the
380   "anonymous" flag when calling GSS_Init_Sec_Context().
381
382   GSS-API does not know or define "anonymous credentials", so the
383   (printable) name of the anonymous principal will rarely be used by or
384   relevant for the initiator/client.  The printable name is relevant
385   for the acceptor/server when performing an authorization decision
386   based on the name that pops up from GSS_Accept_Sec_Context() upon
387
388
389
390Zhu, et al.              Expires April 14, 2007                 [Page 7]
391
392Internet-Draft         Kerberos Anonymity Support           October 2006
393
394
395   successful security context establishment.
396
397   A GSS-API initiator MUST carefully check the resulting context
398   attributes from the initial call to GSS_Init_Sec_Context() when
399   requesting anonymity, because (as in the GSS-API tradition and for
400   backwards compatibility) anonymity is just another optional context
401   attribute.  It could be that the mechanism doesn't recognize the
402   attribute at all or that anonymity is not available for some other
403   reasons -- and in that case the initiator must NOT send the initial
404   security context token to the acceptor, because it will likely reveal
405   the initiators identity to the acceptor, something that can rarely be
406   "un-done".
407
408   GSS-API defines the name_type GSS_C_NT_ANONYMOUS [RFC2743] to
409   represent the anonymous identity.  In addition, Section 2.1.1 of
410   [RFC1964] defines the single string representation of a Kerberos
411   principal name with the name_type GSS_KRB5_NT_PRINCIPAL_NAME.  For
412   the anonymous principals, the name component within the exportable
413   name as defined in Section 2.1.3 of [RFC1964] MUST signify the realm
414   name according to Section 2.1.1 of [RFC1964].  Note that in this
415   specification only the client/initiator can be anonymous.
416
417   Portable initiators are RECOMMENDED to use default credentials
418   whenever possible, and request anonymity only through the input
419   anon_req_flag [RFC2743] to GSS_Init_Sec_Context().
420
421
4226.  Security Considerations
423
424   Since KDCs ignore unknown options [RFC4120], a client requiring
425   anonymous communication needs to make sure that the ticket is
426   actually anonymous.  This is because a KDC that that does not
427   understand the anonymous option would not return an anonymous ticket.
428
429   By using the mechanism defined in this specification, the client does
430   not reveal its identity to the server but its identity may be
431   revealed to the KDC of the server principal (when the server
432   principal is in a different realm than that of the client), and any
433   KDC on the cross-realm authentication path.  The Kerberos client MUST
434   verify the ticket being used is indeed anonymous before communicating
435   with the server, otherwise the client's identity may be revealed
436   unintentionally.
437
438   In cases where specific server principals must not have access to the
439   client's identity (for example, an anonymous poll service), the KDC
440   can define server principal specific policy that insure any normal
441   service ticket can NEVER be issued to any of these server principals.
442
443
444
445
446Zhu, et al.              Expires April 14, 2007                 [Page 8]
447
448Internet-Draft         Kerberos Anonymity Support           October 2006
449
450
451   If the KDC that issued an anonymous ticket were to maintain records
452   of the association of identities to an anonymous ticket, then someone
453   obtaining such records could breach the anonymity.  Additionally, the
454   implementations of most (for now all) KDC's respond to requests at
455   the time that they are received.  Traffic analysis on the connection
456   to the KDC will allow an attacker to match client identities to
457   anonymous tickets issued.  Because there are plaintext parts of the
458   tickets that are exposed on the wire, such matching by a third party
459   observer is relatively straightforward.
460
461
4627.  Acknowledgements
463
464   Clifford Neuman contributed the core notions of this document.
465
466   Martin Rex wrote the text for GSS-API considerations.
467
468   Nicolas Williams reviewed the GSS-API considerations section and
469   suggested ideas for improvements.
470
471   Sam Hartman and Nicolas Williams were great champions of this work.
472
473   In addition, the following individuals made significant
474   contributions: Jeffery Altman, Tom Yu, Chaskiel M Grundman, Love
475   Hoernquist Aestrand, and Jeffery Hutzelman.
476
477
4788.  IANA Considerations
479
480   Section 3 defines the anonymous Kerberos name and the anonymous
481   Kerberos realm based on [KRBNAM].  The IANA registry for [KRBNAM]
482   need to be updated to add references to this document.
483
484
4859.  Normative References
486
487   [KRBNAM]   Zhu, L., "Additonal Kerberos Naming Contraints", 
488              draft-ietf-krb-wg-naming, work in progress.
489
490   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
491              RFC 1964, June 1996.
492
493   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
494              Requirement Levels", BCP 14, RFC 2119, March 1997.
495
496   [RFC2743]  Linn, J., "Generic Security Service Application Program
497              Interface Version 2, Update 1", RFC 2743, January 2000.
498
499   [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
500
501
502
503Zhu, et al.              Expires April 14, 2007                 [Page 9]
504
505Internet-Draft         Kerberos Anonymity Support           October 2006
506
507
508              RFC 3852, July 2004.
509
510   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
511              Kerberos Network Authentication Service (V5)", RFC 4120,
512              July 2005.
513
514   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
515              (TLS) Protocol Version 1.1", RFC 4346, April 2006.
516
517   [RFC4556]  Zhu, L. and B. Tung, "Public Key Cryptography for Initial
518              Authentication in Kerberos (PKINIT)", RFC 4556, June 2006.
519
520
521Authors' Addresses
522
523   Larry Zhu
524   Microsoft Corporation
525   One Microsoft Way
526   Redmond, WA  98052
527   US
528
529   Email: lzhu@microsoft.com
530
531
532   Paul Leach
533   Microsoft Corporation
534   One Microsoft Way
535   Redmond, WA  98052
536   US
537
538   Email: paulle@microsoft.com
539
540
541   Karthik Jaganathan
542   Microsoft Corporation
543   One Microsoft Way
544   Redmond, WA  98052
545   US
546
547   Email: karthikj@microsoft.com
548
549
550
551
552
553
554
555
556
557
558
559Zhu, et al.              Expires April 14, 2007                [Page 10]
560
561Internet-Draft         Kerberos Anonymity Support           October 2006
562
563
564Full Copyright Statement
565
566   Copyright (C) The Internet Society (2006).
567
568   This document is subject to the rights, licenses and restrictions
569   contained in BCP 78, and except as set forth therein, the authors
570   retain all their rights.
571
572   This document and the information contained herein are provided on an
573   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
574   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
575   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
576   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
577   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
578   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
579
580
581Intellectual Property
582
583   The IETF takes no position regarding the validity or scope of any
584   Intellectual Property Rights or other rights that might be claimed to
585   pertain to the implementation or use of the technology described in
586   this document or the extent to which any license under such rights
587   might or might not be available; nor does it represent that it has
588   made any independent effort to identify any such rights.  Information
589   on the procedures with respect to rights in RFC documents can be
590   found in BCP 78 and BCP 79.
591
592   Copies of IPR disclosures made to the IETF Secretariat and any
593   assurances of licenses to be made available, or the result of an
594   attempt made to obtain a general license or permission for the use of
595   such proprietary rights by implementers or users of this
596   specification can be obtained from the IETF on-line IPR repository at
597   http://www.ietf.org/ipr.
598
599   The IETF invites any interested party to bring to its attention any
600   copyrights, patents or patent applications, or other proprietary
601   rights that may cover technology that may be required to implement
602   this standard.  Please address the information to the IETF at
603   ietf-ipr@ietf.org.
604
605
606Acknowledgment
607
608   Funding for the RFC Editor function is provided by the IETF
609   Administrative Support Activity (IASA).
610
611
612
613
614
615Zhu, et al.              Expires April 14, 2007                [Page 11]
616
617
618